From 0a6047eef1c465c38aacfbdab193161b3f0cd144 Mon Sep 17 00:00:00 2001 From: Linus Torvalds Date: Wed, 28 Jun 2006 17:09:34 -0700 Subject: Fix vsnprintf off-by-one bug The recent vsnprintf() fix introduced an off-by-one, and it's now possible to overrun the target buffer by one byte. The "end" pointer points to past the end of the buffer, so if we have to truncate the result, it needs to be done though "end[-1]". [ This is just an alternate and simpler patch to one proposed by Andrew and Jeremy, who actually noticed the problem ] Acked-by: Andrew Morton Acked-by: Jeremy Fitzhardinge Signed-off-by: Linus Torvalds --- lib/vsprintf.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/vsprintf.c') diff --git a/lib/vsprintf.c b/lib/vsprintf.c index 797428afd111..bed7229378f2 100644 --- a/lib/vsprintf.c +++ b/lib/vsprintf.c @@ -489,7 +489,7 @@ int vsnprintf(char *buf, size_t size, const char *fmt, va_list args) if (str < end) *str = '\0'; else - *end = '\0'; + end[-1] = '\0'; } /* the trailing null byte doesn't count towards the total */ return str-buf; -- cgit v1.2.3